Hi all, I have two X.509 certificates MUPCAGradjani.crt and MUPCARoot.crt downloaded from http://ca.mup.gov.rs/sertifikati-lat.html
Certificate path is MUPCARoot > MUPCAGradjani and I would like to validate MUPCAGradjani against the other. What I did is to convert both to PEM format and rename them by hash as efd6650d.0 (Gradjani) and fc5fe32d.0 (Root) using this script:

    #!/bin/bash
    # Convert a DER certificate to PEM, saved as <subject-hash>.0 for -CApath lookup
    hash=$(openssl x509 -in "$1" -inform DER -noout -hash)
    echo "Saving $1 as $hash.0"
    openssl x509 -in "$1" -inform DER -out "$hash.0" -outform PEM

Now I run:

    $ openssl verify -CApath . efd6650d.0
    error 7 at 0 depth lookup:certificate signature failure
    16206:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:255:
    16206:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:173:

Hm, that is not working. What am I doing wrong here? I am running OpenSSL 0.9.8k 25 Mar 2009 on Ubuntu 10.04 GNU/Linux.

I also have my personal certificate issued by MUPCAGradjani that I would like to verify but it is failing with the same error (just one level down):

    $ openssl verify -CApath . qualified.pem
    qualified.pem: /CN=MUPCA Gradjani/O=MUP Republike Srbije/L=Beograd/C=Republika Srbija (RS)
    error 7 at 1 depth lookup:certificate signature failure
    16258:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:255:
    16258:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:173:

When I install downloaded certificates in Windows using Internet Explorer and double-click on my personal certificate (qualified.cer) it looks valid. I am not sure, but I believe it is doing certificate chain validation so the certificates and paths should be valid. After all they are issued by a trustful CA.

Output of "openssl x509 -nameopt multiline,utf8,-esc_msb -noout -text -in $1" looks reasonable for both downloaded certificates and is the same before and after conversion to PEM (using -inform DER in the first case).

My take on this is that I am not doing the conversion properly or maybe the original certificates are in some other format requiring an extra argument, but I cannot find the answer in the docs.

How can I properly validate an X.509 certificate from http://ca.mup.gov.rs/sertifikati-lat.html by certificate chain?

Kind regards,
Goran
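
Added example, not part of the original post: a control run of the same DER-to-PEM, hash-named -CApath procedure on a constructed two-certificate chain, verified once intact and once with one signature bit flipped. It shows that error 7 is what openssl verify reports when the issuer was found in the store but the signature does not check against its key (a missing issuer is error 20 instead). All subjects, keys and file names are constructed.

```shell
#!/bin/bash
# Added example; subjects, keys and file names are constructed for this test.
set -eu

CNF='[req]
distinguished_name=dn
prompt=no
[dn]
CN=placeholder
[v3_ca]
basicConstraints=critical,CA:TRUE'

# The post's conversion step: DER in, <subject-hash>.0 (PEM) out in dir $2.
install_der() {
  local hash
  hash=$(openssl x509 -in "$1" -inform DER -noout -hash)
  openssl x509 -in "$1" -inform DER -out "$2/$hash.0" -outform PEM
  echo "$2/$hash.0"
}

# Flip the lowest bit of the last byte of $1 (the end of the signature value).
flip_last_byte() {
  local size last
  size=$(wc -c < "$1"); last=$(tail -c1 "$1" | od -An -tu1 | tr -d ' ')
  printf "\\$(printf '%03o' $((last ^ 1)))" |
    dd of="$1" bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null
}

# Build root + subordinate CA, then verify the subordinate intact and tampered.
run_experiment() {
  local work sub bad
  work=$(mktemp -d); cd "$work"; mkdir store tampered
  printf '%s\n' "$CNF" > ca.cnf
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config ca.cnf \
    -extensions v3_ca -subj "/CN=Constructed Root" \
    -keyout root.key -out root.pem 2>/dev/null
  openssl x509 -in root.pem -outform DER -out root.crt
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=Constructed Sub" -keyout sub.key -out sub.csr 2>/dev/null
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.cnf -extensions v3_ca -outform DER -out sub.crt 2>/dev/null
  install_der root.crt store >/dev/null
  sub=$(install_der sub.crt store)
  echo "intact: $(openssl verify -CApath store "$sub" 2>&1 | tr '\n' ' ')"
  flip_last_byte sub.crt
  bad=$(install_der sub.crt tampered)
  echo "tampered: $(openssl verify -CApath store "$bad" 2>&1 | tr '\n' ' ')"
}
(run_experiment)
```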